On Wed, March 3, 2010 5:38 am, Jari Fredriksson wrote: > On 3.3.2010 15:34, Jari Fredriksson wrote: >> On 3.3.2010 15:22, twofers wrote: >>> I have 52 of these sitting in my inbox this morning when I came in to >>> work. this is just the beginning. I get literally hundreds of these a >>> day and Spamassassin does not even check them. >>> >>> Thats hundreds of these every day for weeks and weeks and weeks on end. >>> >> >> How about using amavisd-new/clamd/SaneSecurity in your system in >> addition to SpamAssassin. SpamAssassin is not an AntiVirus application >> after all. >> >> I have some SaneSecurity additions in my clamd, as they catch those new >> trojans better than vanilla clamd: >> >> # /etc/clamav-unofficial-sigs.conf >> >> ss_dbs=" >> phish.ndb >> rogue.hdb >> winnow_malware.hdb >> winnow_malware_links.ndb >> spearl.ndb >> scamnailer.ndb >> " >> >> Do NOT add the additional antispam databases to clamd, as they tend to >> be WAY too trigger happy, and SpamAssassin does not a change to do it's >> perfect job on spam.
As the author of the script you're using, as well as the author of one of those additional antispam databases, I would have to disagree with you here. As one of the Sanesecurity rsync mirrors, I also know that there are many very large multi-national companies and large ISPs that use these additional antispam signature databases without issue. > clamd is also possible to integrate to SA using the clamav plugin. That > way amavisd-new is not necessary (while it is excellent) if that seem > to be too much trouble. Also, if you are using amavisd-new or mime-defang, etc, then you should also be using the unofficial ClamAV signature databases in a scoring mode, rather than quarantine mode, as is recommended. This also allows SpamAssassin to see the messages and for AWL and Bayes to learn from the messages. This method also protects from potential false-positives from any one signature, as the score for a signature triggering from the unofficial signature database should not be high enough, on its own, to score the message as spam. Bill
